IPSec Routing Problem

Unanswered Question
Jan 30th, 2008

Hi All,

We have successfully configured site-to-site IPSec. If interesting traffic hits the outgoing interface, the tunnel comes up on both ends; you can also see packets being encrypted.

I'm having routing problems locally: I don't have a route that points local-to-remote traffic via the IPSec VPN.

remote peer: 89.3.2.1

remote local: 192.168.1.0/24

local peer: 50.3.3.1

local private: 10.2.5.0/24

Tried the following locally:

ip route 192.168.1.0 255.255.255.0 89.3.2.1

'didn't work'

ip route 192.168.1.0 255.255.255.0 50.3.3.1

'didn't work'

Please help!!!

Jon Marshall Thu, 01/31/2008 - 00:56

Hi

You don't need a route for this traffic. The crypto map access-list tells the router/firewall which traffic needs to be encrypted. If a packet matches the crypto access-list it is encrypted and automatically sent down the tunnel.

Jon

dcarlton Thu, 01/31/2008 - 05:45

Are you using crypto maps? What does your interesting-traffic access list look like?

Eliufoo.Mahinda Thu, 01/31/2008 - 06:07

I'm using crypto maps. My local access list is

access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255

If I run "show access-list 144" I can see the interesting traffic. Also, if I run "show crypto engine connections active" I can see traffic being encrypted. But I don't have a 192.168.1.0/24 route in the routing table, and traffic is not going through the tunnel.

cisco24x7 Thu, 01/31/2008 - 10:55

Do this:

1. Under your crypto map, you need this:

reverse-route

2. Do sh ip route; you will see a static route in the routing table.

3. Redistribute that static route into your routing protocol so that downstream router(s) can see it.

4. Test again.

CCIE Security
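The four steps above, put together as one complete IOS configuration for the local router. This is an added example for this page, not the poster's configuration or anything from the thread's participants. The peer/LAN addresses and ACL 144 are taken from the thread; the interface names, the crypto map name VPN-MAP, the ISAKMP/IPsec parameters, the pre-shared key, the ISP next hop, the OSPF process and the NAT section are assumptions.

```cisco
! Interesting traffic (from the thread): local LAN to remote LAN
access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255

! Default route towards the ISP (assumed next hop). The RRI route below
! points at 89.3.2.1, which is itself reached through this route.
ip route 0.0.0.0 0.0.0.0 50.3.3.254

! Phase 1 (assumed parameters; they must match the remote peer)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key; use whatever both peers were actually configured with
crypto isakmp key EXAMPLE-PSK address 89.3.2.1

! Phase 2 (assumed transform set)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac

! Step 1: reverse-route installs a static route for every destination
! network in ACL 144 (here 192.168.1.0/24) with the peer as next hop
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 89.3.2.1
 set transform-set TS-AES
 match address 144
 reverse-route

! Outside interface (assumed name); the crypto map must be applied here
interface GigabitEthernet0/0
 description Outside to ISP
 ip address 50.3.3.1 255.255.255.0
 ip nat outside
 crypto map VPN-MAP

! Inside interface (assumed name and address)
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.2.5.1 255.255.255.0
 ip nat inside

! Step 3: a downstream router only learns 192.168.1.0/24 if the RRI
! static route is redistributed into the IGP (OSPF assumed here)
router ospf 1
 network 10.2.5.0 0.0.0.255 area 0
 redistribute static subnets

! Caveat (assumption: this router also does PAT for Internet access).
! On IOS, inside-to-outside NAT happens before the crypto map is
! consulted, so VPN traffic must be excluded from the NAT ACL or it is
! translated to 50.3.3.1 and never matches ACL 144.
ip access-list extended NAT-INSIDE
 deny   ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.2.5.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

After this is applied, `show ip route static` should list 192.168.1.0/24 as an `S` route via 89.3.2.1 (step 2). That route is the same one the original post tried to add by hand; what reverse-route adds is that the router creates and maintains it itself, so it can be redistributed to the internal router that the later posts show traffic stopping at.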

Eliufoo.Mahinda Fri, 02/01/2008 - 00:06

Now I've got the route in my routing table and I still can't reach the remote end.

If I run a traceroute from the local host, it stops at my internal router interface. Where else should I check?

i. My VPN is up

ii. Route to remote host is available

dcarlton Fri, 02/01/2008 - 04:41

When you did the traceroute, what did you use for the source interface? This source interface has to have a match in the access list.

Eliufoo.Mahinda Sun, 02/03/2008 - 22:23

I'm running a traceroute from 10.2.5.2 (a local node).

If I run a ping test to 192.168.1.6 (active remote node), the ACL sees the interesting traffic, brings up the VPN and encaps the destination traffic. But I still don't reach the remote node.

kaachary Mon, 02/04/2008 - 08:40

Your traffic has already left the device if you see encrypts. It seems either the replies are not coming back from the other end, or the packet is dropped after it leaves the local device.

Do you see encrypts/decrypts on the other end of the tunnel ?

Source a ping from the LAN interface of the VPN device itself, and ping the remote end's LAN interface (provided it is part of the crypto ACL).

HTH,

-Kanishka
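The checks suggested in this reply as one verification sequence, run on both peers. This is an added example, not part of the original thread. The peer addresses, LAN subnets and remote node 192.168.1.6 come from the thread; the inside interface name is an assumption.

```cisco
! ---- Local router (50.3.3.1) ----

! The RRI static route for the remote LAN must be present first
show ip route 192.168.1.0

! Source the ping from the LAN interface so the source address is
! 10.2.5.x and matches ACL 144. A ping sourced from the outside address
! 50.3.3.1 does not match the crypto ACL and leaves in the clear.
ping 192.168.1.6 source GigabitEthernet0/1 repeat 20

! Read the SA counters for this peer. "pkts encaps" climbing while
! "pkts decaps" stays at 0 means packets leave encrypted and nothing
! comes back: the fault is on the return path (remote peer, remote
! routing, or the ISP path), not in the local crypto config.
show crypto ipsec sa peer 89.3.2.1 | include ident|pkts encaps|pkts decaps

! Phase 1 state: QM_IDLE means ISAKMP is established with the peer
show crypto isakmp sa

! ---- Remote peer (89.3.2.1), mirror image ----

! Here "pkts decaps" should climb by the 20 pings sent above. If it
! stays at 0, the ESP packets never arrived at this peer, which points
! at the transit network between the two public addresses.
show crypto ipsec sa peer 50.3.3.1 | include ident|pkts encaps|pkts decaps

! If decaps climbs but encaps does not, the replies are not being
! generated or not routed back through this peer: check that the
! remote LAN (192.168.1.0/24) routes 10.2.5.0/24 towards this device.
show ip route 10.2.5.0
```

The `local ident`/`remote ident` lines printed by the first filter confirm which proxy identities the SA was negotiated for; if they show a host or subnet other than 10.2.5.0/24 and 192.168.1.0/24, the two peers' crypto ACLs are not mirror images and the counters will not tell the full story.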

Eliufoo.Mahinda Sun, 02/10/2008 - 21:25

SOLVED!!! :-)

After writing some emails to my ISP, I managed to see the remote encrypted traffic.

Thanks everyone.
